Firewall Wizards mailing list archives

RE: Cisco 2621 opinions


From: "Iannaccone, Al" <Al.Iannaccone () occ treas gov>
Date: Mon, 15 Jul 2002 10:14:36 -0400

Hello;

You can also download a free 56-bit DES license (for PIX) from Cisco by
following this link:

http://www.cisco.com/cgi-bin/Software/FormManager/formgenerator.pl?pid=221&fid=324

You will need a CCO logon. 

Hope this helps,

Al

-----Original Message-----
From: Kent, Ashley [mailto:akent () ue com au] 
Sent: Sunday, July 14, 2002 7:42 PM
To: 'firewall-wizards () nfr net'
Subject: RE: [fw-wiz] Cisco 2621 opinions

Joe,

I use both 2600s running firewall ios and pix firewalls on my network (about
2000 pcs spread over 10 sites). Both provide good basic firewalling capabilities.
There are of course advantages and disadvantages for both platforms:

A 2600 with firewall ios can act as both a firewall and a router. You can
terminate vlans on it and have it route packets between your networks. A pix
is only a firewall. If you want to protect your perimeter you either need a
router running firewall ios, or a pix and a router. If your isp provides the
perimeter router then I guess it doesn't matter, but if not you can save
money by using firewall ios since you only need to buy one device. 

As I see it there are three advantages to using a pix - throughput, ease of
configuration, and DMZs. 

Pixes are capable of securing much larger streams of traffic than a 2600
with firewall ios. However in your case since your network is reasonably
small and it seems you won't be loading up your firewall with heaps of rules
the 2600 should be ok. I've used 2600s with firewall ios on 10 mbps
connections and they seem to hold up to the strain.

On the configuration side however you will find a 2600 with firewall ios can
be a little complicated to set up, particularly if you are new to the cisco
world. The cisco website does have some excellent examples you can take a
look at though. A pix is easy to configure, and the pix device manager
version 2 is now available for free from cisco. This is a web browser based
tool that makes configuring up a pix very easy (even vpn config is a
breeze). I'm not saying that you won't be capable of configuring the 2600 -
just make sure you can set up a test lab and test things thoroughly before
you deploy it on your production network.

Lastly a pix with a 4FE card gives you the ability to easily set up multiple
DMZs. I'm not sure if you need this capability but I would be surprised if
you did not. A 2600 could also give you this capability if you put in an
ethernet wic, but I've never done this so I'm not sure how difficult the
config is.


Also note that just about all cisco routers support ssh. You just need to
load up an ios image that supports DES or 3DES. These images tend to require
more flash and memory than the non ssh capable images, but it is worth the
expense. I have 1700s, 2500s, 2600s and 4500s on my network and every single
device supports ssh (although the performance of the 2500s degrades
noticeably when using ssh).



Hope this helps,


Ash.
_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards

